|
Medium |
Content Security Policy (CSP) Header Not Set |
| Description |
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
|
|
| URL |
http://NPM:3000 |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 216 bytes.
|
GET http://NPM:3000 HTTP/1.1
host: NPM:3000
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/ |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 315 bytes.
|
GET http://npm:3000/ HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Upgrade-Insecure-Requests: 1
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:24 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/assets/public/favicon_js.ico |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 139 bytes.
|
GET http://npm:3000/.git/assets/public/favicon_js.ico HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://NPM:3000/.git/index |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 116 bytes.
|
GET http://NPM:3000/.git/index HTTP/1.1
host: NPM:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/main.js |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 118 bytes.
|
GET http://npm:3000/.git/main.js HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/polyfills.js |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 123 bytes.
|
GET http://npm:3000/.git/polyfills.js HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/runtime.js |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 121 bytes.
|
GET http://npm:3000/.git/runtime.js HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/styles.css |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 121 bytes.
|
GET http://npm:3000/.git/styles.css HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/.git/vendor.js |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 120 bytes.
|
GET http://npm:3000/.git/vendor.js HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://NPM:3000/.svn/entries |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 118 bytes.
|
GET http://NPM:3000/.svn/entries HTTP/1.1
host: NPM:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://NPM:3000/.svn/wc.db |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 116 bytes.
|
GET http://NPM:3000/.svn/wc.db HTTP/1.1
host: NPM:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/ftp |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 109 bytes.
|
GET http://npm:3000/ftp HTTP/1.1
host: npm:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 338 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Content-Type: text/html; charset=utf-8
Content-Length: 11083
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 11,072 bytes.
|
<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<title>listing directory /ftp</title>
<style>* {
margin: 0;
padding: 0;
outline: 0;
}
body {
padding: 80px 100px;
font: 13px "Helvetica Neue", "Lucida Grande", "Arial";
background: #ECE9E9 -webkit-gradient(linear, 0% 0%, 0% 100%, from(#fff), to(#ECE9E9));
background: #ECE9E9 -moz-linear-gradient(top, #fff, #ECE9E9);
background-repeat: no-repeat;
color: #555;
-webkit-font-smoothing: antialiased;
}
h1, h2, h3 {
font-size: 22px;
color: #343434;
}
h1 em, h2 em {
padding: 0 5px;
font-weight: normal;
}
h1 {
font-size: 60px;
}
h2 {
margin-top: 10px;
}
h3 {
margin: 5px 0 10px 0;
padding-bottom: 5px;
border-bottom: 1px solid #eee;
font-size: 18px;
}
ul li {
list-style: none;
}
ul li:hover {
cursor: pointer;
color: #2e2e2e;
}
ul li .path {
padding-left: 5px;
font-weight: bold;
}
ul li .line {
padding-right: 5px;
font-style: italic;
}
ul li:first-child .path {
padding-left: 0;
}
p {
line-height: 1.5;
}
a {
color: #555;
text-decoration: none;
}
a:hover {
color: #303030;
}
#stacktrace {
margin-top: 15px;
}
.directory h1 {
margin-bottom: 15px;
font-size: 18px;
}
ul#files {
width: 100%;
height: 100%;
overflow: hidden;
}
ul#files li {
float: left;
width: 30%;
line-height: 25px;
margin: 1px;
}
ul#files li a {
display: block;
height: 25px;
border: 1px solid transparent;
-webkit-border-radius: 5px;
-moz-border-radius: 5px;
border-radius: 5px;
overflow: hidden;
white-space: nowrap;
}
ul#files li a:focus,
ul#files li a:hover {
background: rgba(255,255,255,0.65);
border: 1px solid #ececec;
}
ul#files li a.highlight {
-webkit-transition: background .4s ease-in-out;
background: #ffff4f;
border-color: #E9DC51;
}
#search {
display: block;
position: fixed;
top: 20px;
right: 20px;
width: 90px;
-webkit-transition: width ease 0.2s, opacity ease 0.4s;
-moz-transition: width ease 0.2s, opacity ease 0.4s;
-webkit-border-radius: 32px;
-moz-border-radius: 32px;
-webkit-box-shadow: inset 0px 0px 3px rgba(0, 0, 0, 0.25), inset 0px 1px 3px rgba(0, 0, 0, 0.7), 0px 1px 0px rgba(255, 255, 255, 0.03);
-moz-box-shadow: inset 0px 0px 3px rgba(0, 0, 0, 0.25), inset 0px 1px 3px rgba(0, 0, 0, 0.7), 0px 1px 0px rgba(255, 255, 255, 0.03);
-webkit-font-smoothing: antialiased;
text-align: left;
font: 13px "Helvetica Neue", Arial, sans-serif;
padding: 4px 10px;
border: none;
background: transparent;
margin-bottom: 0;
outline: none;
opacity: 0.7;
color: #888;
}
#search:focus {
width: 120px;
opacity: 1.0;
}
/*views*/
#files span {
display: inline-block;
overflow: hidden;
text-overflow: ellipsis;
text-indent: 10px;
}
#files .name {
background-repeat: no-repeat;
}
#files .icon .name {
text-indent: 28px;
}
/*tiles*/
.view-tiles .name {
width: 100%;
background-position: 8px 5px;
}
.view-tiles .size,
.view-tiles .date {
display: none;
}
/*details*/
ul#files.view-details li {
float: none;
display: block;
width: 90%;
}
ul#files.view-details li.header {
height: 25px;
background: #000;
color: #fff;
font-weight: bold;
}
.view-details .header {
border-radius: 5px;
}
.view-details .name {
width: 60%;
background-position: 8px 5px;
}
.view-details .size {
width: 10%;
}
.view-details .date {
width: 30%;
}
.view-details .size,
.view-details .date {
text-align: right;
direction: rtl;
}
/*mobile*/
@media (max-width: 768px) {
body {
font-size: 13px;
line-height: 16px;
padding: 0;
}
#search {
position: static;
width: 100%;
font-size: 2em;
line-height: 1.8em;
text-indent: 10px;
border: 0;
border-radius: 0;
padding: 10px 0;
margin: 0;
}
#search:focus {
width: 100%;
border: 0;
opacity: 1;
}
.directory h1 {
font-size: 2em;
line-height: 1.5em;
color: #fff;
background: #000;
padding: 15px 10px;
margin: 0;
}
ul#files {
border-top: 1px solid #cacaca;
}
ul#files li {
float: none;
width: auto !important;
display: block;
border-bottom: 1px solid #cacaca;
font-size: 2em;
line-height: 1.2em;
text-indent: 0;
margin: 0;
}
ul#files li:nth-child(odd) {
background: #e0e0e0;
}
ul#files li a {
height: auto;
border: 0;
border-radius: 0;
padding: 15px 10px;
}
ul#files li a:focus,
ul#files li a:hover {
border: 0;
}
#files .header,
#files .size,
#files .date {
display: none !important;
}
#files .name {
float: none;
display: inline-block;
width: 100%;
text-indent: 0;
background-position: 0 50%;
}
#files .icon .name {
text-indent: 41px;
}
}
#files .icon-directory .name {
background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAABGdBTUEAALGPC/xhBQAAAWtQTFRFAAAA/PPQ9Nhc2q402qQ12qs2/PTX2pg12p81+/LM89NE9dto2q82+/fp2rM22qY39d6U+/bo2qo2/frx/vz32q812qs12qE279SU8c4w9NZP+/LK//367s9y7s925cp0/vzw9t92//342po2/vz25s1579B6+OSO2bQ0/v799NyT8tE79dld8Msm+OrC/vzx79KA2IYs7s6I9d6R4cJe9+OF/PLI/fry79OF/v30//328tWB89RJ8c9p8c0u9eCf//7+9txs6sts5Mdr+++5+u2z/vrv+/fq6cFz8dBs8tA57cpq+OaU9uGs27Y8//799NdX/PbY9uB89unJ//z14sNf+emh+emk+vDc+uys9+OL8dJy89NH+eic8tN5+OaV+OWR9N2n9dtl9t529+KF9+GB9Nue9NdU8tR/9t5y89qW9dpj89iO89eG/vvu2pQ12Y4z/vzy2Ict/vvv48dr/vzz4sNg///+2Igty3PqwQAAAAF0Uk5TAEDm2GYAAACtSURBVBjTY2AgA2iYlJWVhfohBPg0yx38y92dS0pKVOVBAqIi6sb2vsWWpfrFeTI8QAEhYQEta28nCwM1OVleZqCAmKCEkUdwYWmhQnFeOStQgL9cySqkNNDHVJGbiY0FKCCuYuYSGRsV5KgjxcXIARRQNncNj09JTgqw0ZbkZAcK5LuFJaRmZqfHeNnpSucDBQoiEtOycnIz4qI9bfUKQA6pKKqAgqIKQyK8BgAZ5yfODmnHrQAAAABJRU5ErkJggg==);
}
#files .icon-text .name {
background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAQAAAC1+jfqAAAABGdBTUEAAK/INwWK6QAAABl0RVh0U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAADoSURBVBgZBcExblNBGAbA2ceegTRBuIKOgiihSZNTcC5LUHAihNJR0kGKCDcYJY6D3/77MdOinTvzAgCw8ysThIvn/VojIyMjIyPP+bS1sUQIV2s95pBDDvmbP/mdkft83tpYguZq5Jh/OeaYh+yzy8hTHvNlaxNNczm+la9OTlar1UdA/+C2A4trRCnD3jS8BB1obq2Gk6GU6QbQAS4BUaYSQAf4bhhKKTFdAzrAOwAxEUAH+KEM01SY3gM6wBsEAQB0gJ+maZoC3gI6iPYaAIBJsiRmHU0AALOeFC3aK2cWAACUXe7+AwO0lc9eTHYTAAAAAElFTkSuQmCC);
}
#files .icon-default .name {
background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAQAAAC1+jfqAAAABGdBTUEAAK/INwWK6QAAABl0RVh0U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAC4SURBVCjPdZFbDsIgEEWnrsMm7oGGfZrohxvU+Iq1TyjU60Bf1pac4Yc5YS4ZAtGWBMk/drQBOVwJlZrWYkLhsB8UV9K0BUrPGy9cWbng2CtEEUmLGppPjRwpbixUKHBiZRS0p+ZGhvs4irNEvWD8heHpbsyDXznPhYFOyTjJc13olIqzZCHBouE0FRMUjA+s1gTjaRgVFpqRwC8mfoXPPEVPS7LbRaJL2y7bOifRCTEli3U7BMWgLzKlW/CuebZPAAAAAElFTkSuQmCC);
}
</style>
<script>
function $(id){
var el = 'string' == typeof id
? document.getElementById(id)
: id;
el.on = function(event, fn){
if ('content loaded' == event) {
event = window.attachEvent ? "load" : "DOMContentLoaded";
}
el.addEventListener
? el.addEventListener(event, fn, false)
: el.attachEvent("on" + event, fn);
};
el.all = function(selector){
return $(el.querySelectorAll(selector));
};
el.each = function(fn){
for (var i = 0, len = el.length; i < len; ++i) {
fn($(el[i]), i);
}
};
el.getClasses = function(){
return this.getAttribute('class').split(/\s+/);
};
el.addClass = function(name){
var classes = this.getAttribute('class');
el.setAttribute('class', classes
? classes + ' ' + name
: name);
};
el.removeClass = function(name){
var classes = this.getClasses().filter(function(curr){
return curr != name;
});
this.setAttribute('class', classes.join(' '));
};
return el;
}
function search() {
var str = $('search').value.toLowerCase();
var links = $('files').all('a');
links.each(function(link){
var text = link.textContent.toLowerCase();
if ('..' == text) return;
if (str.length && ~text.indexOf(str)) {
link.addClass('highlight');
} else {
link.removeClass('highlight');
}
});
}
$(window).on('content loaded', function(){
$('search').on('keyup', search);
});
</script>
</head>
<body class="directory">
<input id="search" type="text" placeholder="Search" autocomplete="off" />
<div id="wrapper">
<h1><a href=".">~</a> / <a href="ftp">ftp</a></h1>
<ul id="files" class="view-tiles"><li><a href="ftp/quarantine" class="icon icon-directory" title="quarantine"><span class="name">quarantine</span><span class="size"></span><span class="date">1/29/2024 12:55:51 PM</span></a></li>
<li><a href="ftp/acquisitions.md" class="icon icon icon-md icon-text" title="acquisitions.md"><span class="name">acquisitions.md</span><span class="size">909</span><span class="date">1/29/2024 12:55:51 PM</span></a></li>
<li><a href="ftp/announcement_encrypted.md" class="icon icon icon-md icon-text" title="announcement_encrypted.md"><span class="name">announcement_encrypted.md</span><span class="size">369237</span><span class="date">1/29/2024 12:55:51 PM</span></a></li>
<li><a href="ftp/coupons_2013.md.bak" class="icon icon icon-bak icon-default" title="coupons_2013.md.bak"><span class="name">coupons_2013.md.bak</span><span class="size">131</span><span class="date">1/29/2024 12:55:51 PM</span></a></li>
<li><a href="ftp/eastere.gg" class="icon icon icon-gg icon-default" title="eastere.gg"><span class="name">eastere.gg</span><span class="size">324</span><span class="date">1/29/2024 12:55:51 PM</span></a></li>
<li><a href="ftp/encrypt.pyc" class="icon icon icon-pyc icon-default" title="encrypt.pyc"><span class="name">encrypt.pyc</span><span class="size">573</span><span class="date">1/29/2024 12:55:51 PM</span></a></li>
<li><a href="ftp/incident-support.kdbx" class="icon icon icon-kdbx icon-default" title="incident-support.kdbx"><span class="name">incident-support.kdbx</span><span class="size">3246</span><span class="date">1/29/2024 12:55:51 PM</span></a></li>
<li><a href="ftp/legal.md" class="icon icon icon-md icon-text" title="legal.md"><span class="name">legal.md</span><span class="size">3047</span><span class="date">1/29/2024 12:58:39 PM</span></a></li>
<li><a href="ftp/package.json.bak" class="icon icon icon-bak icon-default" title="package.json.bak"><span class="name">package.json.bak</span><span class="size">4291</span><span class="date">1/29/2024 12:55:51 PM</span></a></li>
<li><a href="ftp/suspicious_errors.yml" class="icon icon icon-yml icon-text" title="suspicious_errors.yml"><span class="name">suspicious_errors.yml</span><span class="size">723</span><span class="date">1/29/2024 12:55:51 PM</span></a></li></ul>
</div>
</body>
</html>
|
| URL |
http://NPM:3000/sitemap.xml |
| Method |
GET |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 117 bytes.
|
GET http://NPM:3000/sitemap.xml HTTP/1.1
host: NPM:3000
user-agent:
pragma: no-cache
cache-control: no-cache
|
| Request Body
- size: 0 bytes.
|
|
| Response Header
- size: 466 bytes.
|
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 29 Jan 2024 12:58:41 GMT
ETag: W/"7c3-18d554cec94"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Mon, 29 Jan 2024 12:59:16 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 1,987 bytes.
|
<!--
~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--><!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<title>OWASP Juice Shop</title>
<meta name="description" content="Probably the most modern and sophisticated insecure web application">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": { "background": "#546e7a", "text": "#ffffff" },
"button": { "background": "#558b2f", "text": "#ffffff" }
},
"theme": "classic",
"position": "bottom-right",
"content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
})});
</script>
<style>.bluegrey-lightgreen-theme.mat-app-background{background-color:#303030;color:#fff}@charset "UTF-8";@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
<app-root></app-root>
<script src="runtime.js" type="module"></script><script src="polyfills.js" type="module"></script><script src="vendor.js" type="module"></script><script src="main.js" type="module"></script>
</body></html>
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJPf1&sid=KFEN3mY0AqgMbN1gAAAA |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJPf1&sid=KFEN3mY0AqgMbN1gAAAA HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 12:59:25 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJQUh&sid=WB5i95hgJysuuml_AAAC |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 405 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJQUh&sid=WB5i95hgJysuuml_AAAC HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
Cookie: language=en
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 12:59:29 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJRXQ&sid=wFy1HMCkZDFky_emAAAE |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJRXQ&sid=wFy1HMCkZDFky_emAAAE HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 12:59:33 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJSdx&sid=3bmoESGQOm32o5q1AAAG |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJSdx&sid=3bmoESGQOm32o5q1AAAG HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 12:59:37 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJTp4&sid=ZArS7vr8ft4vk5snAAAI |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJTp4&sid=ZArS7vr8ft4vk5snAAAI HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 12:59:42 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJVa-&sid=hx1hLe_C4oNYtmcWAAAM |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 405 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJVa-&sid=hx1hLe_C4oNYtmcWAAAM HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
Cookie: language=en
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 12:59:49 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJVEl&sid=cJCQZxf2NjVC4AwjAAAK |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 384 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJVEl&sid=cJCQZxf2NjVC4AwjAAAK HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 12:59:48 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJVrs&sid=6D9pGOzltWootN92AAAN |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 435 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJVrs&sid=6D9pGOzltWootN92AAAN HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
Cookie: language=en; welcomebanner_status=dismiss
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 12:59:51 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| URL |
http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJWMa&sid=4iJ_bokEJUrPyOpuAAAQ |
| Method |
POST |
| Parameter |
|
| Attack |
|
| Evidence |
|
|
|
|
| Request Header
- size: 405 bytes.
|
POST http://npm:3000/socket.io/?EIO=4&transport=polling&t=OrLJWMa&sid=4iJ_bokEJUrPyOpuAAAQ HTTP/1.1
host: npm:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://npm:3000/
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://npm:3000
Connection: keep-alive
Cookie: language=en
|
| Request Body
- size: 2 bytes.
|
40
|
| Response Header
- size: 147 bytes.
|
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2
Date: Mon, 29 Jan 2024 12:59:53 GMT
Connection: keep-alive
Keep-Alive: timeout=5
|
| Response Body
- size: 2 bytes.
|
ok
|
| Instances |
22 |
| Solution |
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
|
| Reference |
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
http://www.w3.org/TR/CSP/
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://caniuse.com/#feat=contentsecuritypolicy
http://content-security-policy.com/
|
| Tags |
OWASP_2021_A05
OWASP_2017_A06
|
| CWE Id |
693 |
| WASC Id |
15 |
| Plugin Id |
10038 |